Privacy Policy

Sales Anchor — Multi-Channel CRM SaaS for B2B Trading Card Exporters
Operated by: HIGH LIFE JPN (Representative: Shingo Tanizawa)
Effective Date: May 21, 2026
Last Updated: May 21, 2026
Version: 1.5

Introduction

HIGH LIFE JPN ("we," "us," or "our") provides Sales Anchor ("the Service"), a multi-channel integrated Customer Relationship Management (CRM) SaaS for business-to-business (B2B) Trading Card Game (TCG) exporters.

This Privacy Policy ("Policy") describes how we collect, use, store, and share personal information in connection with the Service.

This Policy complies with the Act on the Protection of Personal Information of Japan ("APPI"), the Meta Platforms, Inc. Platform Terms, and other applicable international privacy laws, including the EU General Data Protection Regulation ("GDPR") where applicable to individuals located in the European Economic Area.

Scope of Audiences

This Policy applies to two categories of individuals: Users (personnel of client companies who log into and operate the Service), and End Users (customers of our clients whose data is indirectly processed through Messenger and similar channels). Specific handling for each category is described in the relevant sections.

1. Business Operator Information

1.1 Name of Operator

Business Name: HIGH LIFE JPN (Trade Name)
Representative: Shingo Tanizawa

1.2 Business Address

Address: 2F, Nishi-Shinjuku Mizuma Building, 3-3-13 Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-0023, Japan

1.3 Contact Information

Inquiry Email: support@salesanchor.jp
Website: https://salesanchor.jp

1.4 Personal Information Protection Manager

Data Protection Officer: Shingo Tanizawa (Representative)
Contact: support@salesanchor.jp

2. Scope of Application

2.1 Applicable Subjects

This Policy applies to:

Users of the Service (Sales Anchor)
End Users whose data is processed through the Service
Visitors to the Service website (https://salesanchor.jp)

2.2 Excluded Subjects

This Policy does NOT apply to:

Systems and services independently operated by client companies
Data collected by third-party services such as Meta Platforms, Inc. (Facebook, Instagram, WhatsApp) — their respective privacy policies apply
External sites linked from the Service

3. Information We Collect

3.1 Information Collected from Users

During registration and use of the Service, we collect the following information:

Type	Examples	Collection Method
Account Information	Name, Email Address	Registration form
Authentication	Google Identity Platform ID	OAuth 2.0
Company Affiliation	Tenant ID, Role	At account issuance
Usage Logs	Login timestamp, operation history	Automatic logging
IP Address	Client IP address	Automatic logging

3.2 Information Collected from End Users

When client companies communicate with End Users through the Service, we collect and process the following information:

Type	Examples	Source
Message Content	Text, emojis, attachments	Meta Webhook
Sender Identifier	PSID, IGSID, Phone number	Per channel
Message Timestamp	Sent/received time	Meta Webhook
Public Profile Info	Display name, profile picture	Meta Graph API
Reactions	Emoji reactions, read receipts	Meta Webhook

Important: End Users are not our direct customers. End Users are customers of client companies that use the Service. We act as a "Data Processor" handling data on behalf of client companies. Primary responsibility for End User data rests with the client companies.

3.3 Cookies and Technical Information

The Service collects the following technical information:

Cookie / Data	Purpose	Retention
Session cookie (`session_id`)	Maintaining authenticated login state	Until browser session ends or logout
CSRF token (`csrf_token`)	Cross-site request forgery protection	Until browser session ends
Browser / device info	Optimizing user experience and detecting unusual access	Access logs: 12 months
IP address	Security monitoring and unauthorized access detection	Access logs: 12 months

We do not use advertising tracking cookies, analytics cookies, or any third-party tracking technologies. No data is shared with advertising networks.

4. Meta Platform Integration

4.1 Relationship with Meta Platform

The Service utilizes the following APIs and services provided by Meta Platforms, Inc.:

Meta Graph API (Messenger, Instagram Direct Messages)
Meta Webhook (real-time message reception)
Facebook Login (OAuth 2.0 authentication)

4.2 Requested Permissions

When a client company connects a Facebook Page to the Service, we request the following permissions:

Permission	Purpose
pages_messaging	Send and receive Messenger messages
pages_manage_metadata	Manage Webhook subscriptions
pages_show_list	Retrieve list of Pages managed by client
pages_read_engagement	Read basic Page information
instagram_basic	Read Instagram Business account information
instagram_manage_messages	Send and receive Instagram DMs
Human Agent Tag	Message sending outside 24-hour window (for human agent responses)

4.3 Handling of Data from Meta

Data obtained from Meta Platform is handled under the following principles:

Used solely to facilitate communication between client companies and their customers
Complies with Article 3 (Data Use) of the Meta Platform Terms
Never sold to third parties or used for advertising
Never used as AI training data

4.4 AI-Assisted Message Translation

The Service provides an optional AI-assisted translation feature that helps sales representatives understand messages written in foreign languages. When this feature is used, message text received via Messenger or Instagram Direct Messages may be sent to Google LLC's Gemini API (gemini-2.5-flash model) for translation processing.

Data sent: Message text only (no sender identifiers or profile information)
Purpose: Translating message content into the language selected by the sales representative
Processor: Google LLC (United States) — operating as a data processor under a Data Processing Addendum (DPA)
Training use: Google does NOT use API inputs or outputs to train its models under the paid API terms
Caching: Translation results are cached in our database (tenant schema: message_translations table) to avoid redundant API calls. This cache is deleted as part of the data deletion process (see Section 9)
Legal basis (APPI): Outsourcing (委託) under Article 25 of the APPI; Google LLC is supervised as a sub-processor
Legal basis (GDPR): Legitimate interests (providing the contracted translation feature) under Article 6(1)(f) GDPR

5. Purpose of Use

5.1 Purpose for User Information

User information is used for the following purposes:

Providing, operating, and improving the Service
User authentication and session management
User support and responding to inquiries
Detecting and responding to violations of Terms of Service
Legal compliance and responding to legal requests
Service notifications and maintenance announcements

5.2 Purpose for End User Information

End User information is used solely for the following purposes:

Mediating message transmission between client companies and End Users
Storing conversation history for reference by client companies
AI-assisted translation of message content via Google Gemini API (optional feature; message text only; see Section 4.4)
Complying with Meta Platform policies such as the 24-hour window rule
Detecting fraudulent activity
Legal compliance and responding to legal requests

Important Notice Regarding Data Use: We do NOT use collected data for advertising targeting, sale to third parties, AI training data, or marketing distribution (except with client company consent and compliance with Meta Terms).

6. Data Storage and Retention

6.1 Storage Location

The primary database and file storage for the Service are hosted on a Virtual Private Server (VPS) provided by SAKURA internet Inc., physically located in Japan.

However, the Service relies on third-party service providers that process certain data outside Japan. Specifically, authentication data is processed by Google LLC (United States), message data passes through Meta Platforms, Inc. infrastructure (United States), DNS queries are processed by Cloudflare, Inc. (United States), and source code is managed on GitHub, Inc. servers (United States). These transfers are described in detail in Section 7. EU residents: see Section 13 for the legal basis for cross-border transfers.

6.2 Encryption

Data is encrypted using the following methods:

In transit: TLS 1.3 (HTTPS with Let's Encrypt certificate)
At rest: sensitive information (access tokens, etc.) encrypted with Fernet symmetric encryption
Backups stored on separate servers in encrypted form

6.3 Retention Period

Data Type	Retention Period
User Account	During account active period
Message History	Main DB: Recent 3 years / Archive DB: Beyond 3 years (deletable upon client request)
End User Identifiers (PSID / IGSID)	Same as message history; deleted upon data deletion request
Authentication Tokens	Maximum 60 days (Meta specification)
Access Logs	12 months
Audit Logs	5 years (for legal compliance)

6.4 Post-Contract Handling

When a client company terminates use of the Service, we delete their data within 90 days after contract termination. However, data legally required to be retained will be kept until the end of the applicable period.

7. Disclosure to Third Parties

7.1 General Principle

We do NOT disclose personal information of Users or End Users to third parties, except:

With consent of the individual (or client company)
When required by law
When necessary for the protection of human life, body, or property
For necessary outsourcing for Service provision (described below)

7.2 Service Providers

We engage the following service providers for data processing. We have executed data processing agreements with all providers and maintain appropriate oversight.

Provider	Purpose	Location
SAKURA internet Inc.	Server infrastructure	Japan
Google LLC	Authentication (Google Identity Platform) / AI-assisted message translation (Gemini API — paid tier, DPA in place)	United States
Meta Platforms, Inc.	Messenger/Instagram API	United States
Cloudflare, Inc.	DNS	United States
GitHub, Inc.	Source code management	United States

7.3 Transfer to Foreign Third Parties

For service providers located outside Japan, data transfer is conducted under the following conditions:

Limited to what is necessary for the functionality of each provider's service
Protected under each provider's privacy policy and security standards
Compliant with Article 28 of the APPI

8. Your Rights

8.1 Rights

Users and End Users have the following rights regarding their personal information:

Right	Description
Right of Access	Right to request disclosure of personal information held by us
Right to Rectification	Right to request correction of inaccurate personal information
Right to Erasure	Right to request deletion of personal information
Right to Restriction	Right to request restriction of processing
Right to Portability	Right to request data in a structured format
Right to Complain	Right to lodge a complaint with a supervisory authority

8.2 How to Exercise Your Rights

To exercise these rights, contact us by email at support@salesanchor.jp. Please include "Personal Information Request" in the subject line. We may request additional information for identity verification.

8.3 Response Period

We will respond to requests within a reasonable period (typically 30 days) after receipt. If response is difficult due to legal or operational reasons, we will provide an explanation.

9. Data Deletion Request Procedure

For detailed deletion procedures, see our dedicated page: Data Deletion

9.1 Deletion Request from End Users

End Users who sent messages through Meta Platform can request data deletion using either of the following two methods:

Method 1: Deletion via Meta Platform (Automated)

Open Facebook "Settings" → "Apps and Websites"
Select "Sales Anchor" and click "Remove"
Meta sends an automated deletion request to our Data Deletion Callback URL (https://api.salesanchor.jp/api/v1/meta/data-deletion)
Our system verifies the request via HMAC-SHA256 signature and initiates deletion automatically
You will receive a confirmation code (format: DEL-YYYYMMDD-xxxx) to track deletion status at https://salesanchor.jp/deletion-status
Deletion from the main database is completed within 14 days; full deletion including backups within 30 days

Method 2: Direct Inquiry

Email: support@salesanchor.jp
Subject: "Data Deletion Request"
Body: information to identify yourself (name, display name on Meta, approximate message date/time)

9.2 Deletion Process

Upon receiving a deletion request, we will:

Begin deletion within 7 business days of receipt
Delete message history (meta_messages) from the main database
Delete AI translation cache (message_translations) associated with the deleted messages
Delete data from the backup database (within 30 days)
Issue a confirmation code upon completion (with verification URL)
Deletion status verifiable at https://salesanchor.jp/deletion-status

9.3 Exceptions to Deletion

The following data may not be deletable due to legal obligations:

Tax-related documents (7-year retention obligation)
Audit logs (5-year retention obligation)
Data related to ongoing legal proceedings

10. Security Measures

10.1 Technical Safeguards

TLS 1.3 encryption for all communication paths
Fernet encryption for sensitive information such as access tokens
Multi-tenant isolation via PostgreSQL Row Level Security (RLS)
Tamper detection via Webhook signature verification (HMAC-SHA256)
Regular security updates

10.2 Organizational Safeguards

Appointment of Personal Information Protection Manager
Principle of least privilege for access rights
Audit log collection and periodic review
Employee training on handling personal information

10.3 Incident Response

In the unlikely event of a data breach, loss, or damage incident, we will:

Promptly investigate and take measures to prevent further damage
Notify affected Users and End Users
Report to the Personal Information Protection Commission (where legally required)
Develop and implement preventive measures

11. Minors

11.1 Age Restrictions

The Service is provided as a B2B business service and is not intended for use by individuals under 16 years of age.

If we become aware that information of a child under 16 has been included in the Service, we will promptly delete such information. Parents or guardians who suspect their child's information may be included should contact support@salesanchor.jp.

11.2 Relationship with Meta Platform

Meta Platform Terms also prohibit use by users under 13 (age varies by region). We comply with Meta Platform Terms and do not process data from such users.

12. Changes to this Policy

12.1 Amendment Procedure

We may update this Policy in response to changes in laws, modifications to the Service, or operational needs.

For significant amendments, we will notify Users and End Users by:

Notifications on the Service dashboard
Email to registered addresses
Publication on this website
Providing at least 14 days' notice period from the amendment date

12.2 Revision History

Version	Date	Main Changes
1.0	2026-04-22	Initial version
1.1	2026-04-23	Service name changed to "SalesAnchor"
1.2	2026-04-23	Domain finalized as salesanchor.jp
1.3	2026-04-30	Service name notation unified to "Sales Anchor" (with space)
1.4	2026-05-20	Full conversion to English-only; professional SaaS redesign (ADR-046)
1.5	2026-05-21	Effective Date updated to today; GDPR mention added; Cookie table added; Data Deletion Callback flow clarified
1.6	2026-05-21	§6.1 corrected: replaced inaccurate "no transfer outside Japan" with accurate description of US-provider data flows; §6.3 added PSID/IGSID retention period
1.7	2026-06-03	§4.4 added: AI-assisted message translation via Google Gemini API disclosure (APPI Art.25 outsourcing, GDPR Art.6(1)(f)); §5.2 updated: added AI translation purpose; §7.2 updated: Google LLC entry expanded to include Gemini API; §9.2 updated: AI translation cache (message_translations) added to deletion scope

13. Rights of EU/EEA Residents (GDPR)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

Legal basis for processing: We process personal data on the basis of legitimate interests (providing the contracted CRM service), contractual necessity, and legal obligations.
Right to object: You may object to processing based on legitimate interests at any time.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Cross-border transfers: Data is stored in Japan (SAKURA internet Inc.). Japan has been recognized by the EU Commission as providing adequate data protection. Transfers to Google LLC, Meta Platforms, Inc., Cloudflare, Inc., and GitHub, Inc. (United States) are made under Standard Contractual Clauses or equivalent safeguards.
Supervisory authority: You have the right to lodge a complaint with your local EU data protection authority.

To exercise any GDPR rights, contact us at support@salesanchor.jp with the subject line "GDPR Request".

14. Contact Information

14.1 Inquiries Regarding this Policy

For questions, comments, or requests regarding this Policy, please contact us at:

HIGH LIFE JPN
Representative: Shingo Tanizawa
Email: support@salesanchor.jp
Website: https://salesanchor.jp
Data Protection Officer: Shingo Tanizawa
Support Hours: Monday – Friday, 10:00 – 18:00 JST
(Excluding weekends, national holidays, year-end, and summer breaks)

14.2 Supervisory Authority

You have the right to lodge a complaint about our handling of personal information with the supervisory authority:

Personal Information Protection Commission, Japan
Website: https://www.ppc.go.jp/en/

This Policy is provided in English. It complies with the Act on the Protection of Personal Information of Japan (APPI), the EU General Data Protection Regulation (GDPR) where applicable, and the Meta Platform Terms.